Best way to define multiple processors based on a group of conditions

Hi all, I have been trying to work out the way to define multiple processors based on a group of conditions. The below snippet doesn't seem to be working but hopefully it will give you an idea of what I am trying to accomplish.

# winlogbeat.yml
processors:  
  - when.and:
    - equals.event.module: 	"sysmon"
    - equals.winlog.event_id: 	1
    - equals.user.id: "S-1-5-18"    
    # if the above conditions are met then run the following processors
	
        # processor01
      - drop_event.when.and:
        - equals.process.executable: "C:\\Windows\\System32\\smss.exe"
        - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"
        # processor02
      - drop_event.when.and:
        - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"
        - or: 
          - equals.process.command_line: "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
          - equals.process.command_line: "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
        # processor03 ...

The documentation details how to define conditions within the processor itself:

processors:
    - <processor_name>:
        when:
          <condition>
        <parameters>

but I am trying to first define some conditions before even defining the processor.
I couldn't find a guide on how to use an AND/OR statement inside an IF statement in the processors documentation, so I guess it's achievable with a when statement? Not sure if that is even supported. Let me know if there is a best/supported way to accomplish this. I essentially want to define multiple processors but based on multiple conditions. I know I can define the original conditions directly under the processor, but there will be tens of those processors so I want to cut down on the number of lines and make it easier to read/update.

Any help will be appreciated.

Kind regards

YAML files support anchors. Please refer to Using variables in YAML files, which should provide a way to define and reuse conditions.

Hi @kumarabhi, thanks for the advice. I have looked into your proposed solution. After reading about YAML anchors, I think I understand the concept but I don't think I am using it right. I have tried doing something like this:

processors:  
  - sysmon_process_create_by_system: &sysmon_process_create_by_system
    - equals.event.module:  "sysmon"
    - equals.winlog.event_id:  1
    - equals.user.id: "S-1-5-18"    

     # Drop Session Manager process Start
  - drop_event.when.and: 
    - *sysmon_process_create_by_system
    - equals.process.executable: "C:\\Windows\\System32\\smss.exe"
    - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"

Even though the config test says everything is OK, the above lines do not appear in the export config output and the events are still making it to the elastic cluster.

I must be doing something wrong.
